Summary

Government officials are increasingly concerned about computer attacks from individuals and groups with malicious intentions, including terrorists and nations engaging in information warfare. The dramatic rise in the interconnectivity of computer systems has compounded this threat. Today, massive computer networks provide pathways among systems that, if not properly secured, can be used to gain unauthorized access to data and operations from remote locations. The National Plan for Information Systems Protection calls for strengthening the defenses against threats to critical public and private-sector computer systems--particularly those supporting public utilities, telecommunications, finance, emergency services, and government operations. The Plan is intended to begin a dialogue and help develop plans to protect other elements of the nation's infrastructure, including the physical infrastructure and the roles and responsibilities of state and local governments and private industry. In GAO's view, the Plan is an important and positive step toward building the cyber defenses necessary to protect critical information and infrastructures. It (1) identifies the risks arising from the nation's dependence on computer networks for critical services, (2) recognizes the need for the federal government to take the lead in addressing critical infrastructure risks and to serve as a model for information security, and (3) outlines key concepts and general initiatives to help achieve these goals. Opportunities exist, however, to improve the plan and address significant challenges to building the public-private partnership necessary for comprehensive infrastructure protections. GAO believes that, rather than emphasizing intrusion detection capabilities, the plan should strive to provide agencies with the incentives and the tools to implement the management controls essential to comprehensive computer security programs. Also, the plan relies heavily on legislation and requirements already in place that, as a whole, are outmoded and inadequate as well as poorly implemented by the agencies.

GAO noted that: (1) the National Plan for Information Systems Protection is intended as a first major element of a more comprehensive effort to protect the nation's information systems and critical assets from future attacks; (2) this preliminary version focuses largely on federal efforts being undertaken to protect the nation's critical cyber-based infrastructures; (3) subsequent versions are to address a broader range of concerns, including the specific role industry and state and local governments will play in protecting physical and cyber-based infrastructures from deliberate attack as well as international aspects of critical infrastructure protection; (4) the end goal of this process is to develop a comprehensive national strategy for infrastructure assurance as envisioned by Presidential Decision Directive 63; (5) making the federal government a model of good information security is essential to the plan's success; (6) recent audits conducted by GAO and agency inspectors general show that 22 of the largest federal agencies have significant computer security weaknesses, ranging from poor controls over access to sensitive systems and data, to poor control over software development and changes, and nonexistent or weak continuity of service plans; (7) agencies have not established security management programs to ensure that controls, once implemented properly, are effective on an ongoing basis; (8) GAO also observed that other crosscutting actions--ranging from clarifying the roles and responsibilities of the many entities involved in information security, to strengthening oversight, to securing adequate technical expertise and funding--were needed in seven key areas to provide greater assurance that critical infrastructure objectives can be met; (9) the second facet of the plan focuses on developing a public-private partnership to protect the nation's infrastructure; and (10) in doing so, the plan proposes developing mechanisms and improving incentives for the private sector to cooperate voluntarily with the federal government, as well as with state and local governments, to work together to provide for the common defense of the infrastructure.